The flaw is in the vCalendar plugin and was fixed upstream in November. It looks like it was fixed in 3.9.0, but I'm not 100% sure. If so, it would only impact Mageia 2. It looks to be a pretty low impact/severity issue, so we could possibly just check a patch into SVN and not issue an update right away. The RedHat bug has some good references: https://bugzilla.redhat.com/show_bug.cgi?id=877372
CC: (none) => julien.moragny
CC: (none) => jani.valimaa
Hi, It impacts cauldron as well. I just pushed 3.9.0-2 with the upstream patch to fix this in cauldron. I also pushed an update to updates_testing for mga2 but I messed up the release tag (2.1 instead of 1.2). I will ask sysadm to remove the packages.
Status: NEW => ASSIGNED
Assignee: bugsquad => julien.moragny
claws-mail-plugins has been removed from updates_testing, so you may fix the release tag and resubmit. Also, I just noticed that the name of the PDF viewer plugin doesn't quite match in mga2 and Cauldron. In mga2 it has an underscore, which seems to be correct and consistent with the way the other subpackages are named, but in Cauldron it doesn't have the underscore. I added it in mga2 when I had to update to 3.8.1 for a previous security update: http://svnweb.mageia.org/packages/updates/2/claws-mail-plugins/current/SPECS/claws-mail-plugins.spec?r1=311823&r2=311825 I recommend renaming it in the Cauldron package. If you don't want to, it needs to obsolete the mga2 one.
Summary: claws-mail-extra-plugins new security issue CVE-2012-5527 => claws-mail-plugins new security issue CVE-2012-5527
Source RPM: claws-mail-extra-plugins => claws-mail-plugins
Thank you. Here is a proposal of advisory:

========================
Updated claws-mail-plugins packages fix security vulnerabilities:

A security flaw was found in the way vCalendar plug-in of Claws Mail displayed user credential information in the system tray display when using https scheme. A local attacker could use this flaw to obtain user credentials (username and password) used for connection to remote point. (CVE-2012-5527)

References:
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2782
https://bugzilla.redhat.com/show_bug.cgi?id=877372
========================

Updated packages in core/updates_testing:
========================
claws-mail-acpi-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-address_keeper-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-attachwarner-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-att_remover-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-bsfilter-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-clamd-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-fancy-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-fetchinfo-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-gtkhtml2_viewer-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-mailmbox-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-newmail-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-notification-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-pdf_viewer-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-perl-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-plugins-debug-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-python-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-rssyl-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-spam_report-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-tnef_parse-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-vcalendar-plugin-3.8.1-1.2.mga2.x86_64.rpm
claws-mail-vcalendar-plugin-devel-3.8.1-1.2.mga2.x86_64.rpm

Source RPM: claws-mail-plugins-3.8.1-1.2.mga2.src.rpm
Regarding pdf_viewer, I just pushed a package with the renaming; it was an error. Thanks.
Hi QA, I just pushed an update for claws-mail-plugins in mga2 updates_testing (see above for the advisory). I don't have a way to easily test the update, as it needs a vcal server with https auth. When you use this kind of server, the systray icon should not display the credentials of the account while fetching (see the upstream bug report for a screenshot). Thanks & regards. Julien
Assignee: julien.moragny => qa-bugs
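The behaviour QA is asked to verify above is that a fetch URL shown in the systray no longer carries the account's username and password. As an added illustration (not the upstream Claws Mail patch and not code from this thread), this hypothetical helper strips the userinfo part of a URL before it is handed to any tooltip, status line or log; the function name and the sample URLs are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Copy url into out with any "user:password@" removed from the authority
 * part, so the result is safe to show in a systray tooltip or status line.
 * Only the authority (between "://" and the first '/', '?' or '#') is
 * inspected, so an '@' inside the path or query is left alone.
 * Returns 1 if credentials were stripped, 0 if there were none,
 * -1 if out is too small (out is then set to an empty string).
 * Hypothetical helper for illustration, not the upstream fix. */
int redact_url_userinfo(const char *url, char *out, size_t outlen)
{
    const char *scheme_end = strstr(url, "://");
    const char *auth_start, *auth_end, *at = NULL, *p;
    size_t prefix_len, rest_len;

    if (!scheme_end) {                    /* no authority: copy unchanged */
        snprintf(out, outlen, "%s", url);
        return 0;
    }
    auth_start = scheme_end + 3;
    auth_end = auth_start + strcspn(auth_start, "/?#");
    /* use the last '@' in the authority: an unescaped '@' in the
     * password must not cut the redaction short */
    for (p = auth_start; p < auth_end; p++)
        if (*p == '@')
            at = p;
    if (!at) {
        snprintf(out, outlen, "%s", url);
        return 0;
    }
    prefix_len = (size_t)(auth_start - url);   /* e.g. "https://" */
    rest_len = strlen(at + 1);                 /* host and everything after */
    if (prefix_len + rest_len + 1 > outlen) {
        if (outlen)
            out[0] = '\0';
        return -1;
    }
    memcpy(out, url, prefix_len);
    memcpy(out + prefix_len, at + 1, rest_len + 1);   /* includes the NUL */
    return 1;
}

int main(void)
{
    /* constructed sample URL, not a real account */
    char shown[256];
    redact_url_userinfo("https://alice:s3cret@cal.example.org/dav/cal.ics",
                        shown, sizeof shown);
    printf("systray text: Fetching %s\n", shown);
    return 0;
}
```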
Patch checked into Mageia 1 SVN.
Testing complete mga2 32

Just loaded as many of the plugins as I could into claws and configured a random webcal calendar from the internet. No errors after updating, and vcalendar still works ok.
Whiteboard: (none) => has_procedure mga2-32-OK
Testing mga2 64

Newmail plugin is not functional; it gives an error when installed.

Error: No such file or directory

Plugin is not functional.
Hi, thanks for the testing. After investigation, Newmail plugin needs an existing Mail directory inside $HOME and doesn't create one if it isn't present before loading. I will raise a bug upstream.
And here it is: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2859
I've created a new mageia bug for it, bug 8725, it was the same in the version in updates. It won't hold up this update.
Other than newmail everything seems fine, so testing complete mga2 64.

Validating. Advisory & srpm in comment 3.

Could sysadmin please push from core/updates_testing to core/updates? Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-32-OK => has_procedure mga2-32-OK mga2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0014
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED